Lawful Intercept 2.0


Note


To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN Validator, and Cisco vSmart to Cisco Catalyst SD-WAN Controller. See the latest Release Notes for a comprehensive list of all the component brand name changes. While we transition to the new names, some inconsistencies might be present in the documentation set because of a phased approach to the user interface updates of the software product.


Table 1. Feature History

Feature Name

Release Information

Description

Lawful Intercept 2.0

Cisco vManage Release 20.9.1

This feature introduces Lawful Intercept Version 2.0. In the Lawful Intercept 2.0 feature, key information is provided to a law enforcement agency (LEA) by the Cisco Catalyst SD-WAN routers and control components so that they can decrypt the Cisco Catalyst SD-WAN IPsec traffic captured by the Managed Service Provider (MSP). This helps the LEA decrypt the encrypted network traffic information. For information on Lawful Intercept 1.0, see the chapter Lawful Intercept in the Cisco Catalyst SD-WAN Policies Configuration Guide.

Lawful Intercept 2.0 Enhancements

Cisco vManage Release 20.10.1

This feature enhances the Cisco SD-WAN Manager GUI and the troubleshooting options available for the Lawful Intercept feature in Cisco Catalyst SD-WAN.

  • Cisco SD-WAN Manager GUI enhancements:

    • A Sync to vSmart button to synchronize a newly created intercept configuration with the Cisco SD-WAN Controller.

    • A toggle button to enable or disable an intercept.

    • A progress page to display the status of synchronization and activation.

    • A red dot on the task list icon in the Cisco SD-WAN Manager toolbar to indicate any new lawful intercept tasks.

    • A task list pane to view a list of active and completed lawful intercept tasks.

    • An intercept retrieve option Get IRI to retrieve key information or Intercept Related Information (IRI) from the Cisco SD-WAN Controller.

  • Ability to troubleshoot Cisco SD-WAN Controller and Cisco SD-WAN Manager using the debug logs and admin tech files.

Lawful Intercept 2.0 Enhancements

Cisco Catalyst SD-WAN Manager Release 20.12.1

This feature extends Lawful Intercept to multitenancy mode, and provides support for Cisco SD-WAN Manager clusters. For more information on Cisco SD-WAN Manager clusters, see Cluster Management.

Information About Lawful Intercept 2.0

Cisco Catalyst SD-WAN’s Lawful Intercept feature allows an LEA to get a copy of network traffic for analysis or evidence. This is also referred as traffic mirroring. See the chapter Lawful Intercept in the Cisco Catalyst SD-WAN Policies Configuration Guide.

From Cisco vManage Release 20.9.1, Cisco Catalyst SD-WAN implements a new architecture for Lawful Intercept , as shown in the following figure.

Figure 1. Lawful Intercept 2.0 Architecture
Lawful-Intercept-2.0-Architecture

The following are the characteristics of the new architecture:

  • Traffic mirroring is outside the scope of Cisco Catalyst SD-WAN. The LEA works with the corresponding service provider to capture network traffic for mirroring.


    Note


    In the illustration above, the service provider is an underlay connection and the IPsec tunnel is an overlay connection.


  • Because the captured network traffic is encrypted, Cisco SD-WAN Manager and Cisco SD-WAN Controller provide key information to the LEA.

  • The LEA retrieves the keys from Cisco SD-WAN Manager to decrypt Cisco Catalyst SD-WAN IPsec traffic. The LEA ensures that they retrieve key information is retrieved during each rekey period. The rekey period is provided by the service provider. For more information about retrieving keys, see Retrieve an Intercept. For information on rekey period, see Configure Data Plane Security Parameters.

A Lawful Intercept administrator is solely responsible for configuring intercepts and creating Lawful Intercept API users who perform Lawful Intercepts. A Cisco SD-WAN Manager administrator can create an account for the Lawful Intercept administrator; the administrator must be a member of the li-admin group. For more information about creating an account for a Lawful Intercept administrator, see Create Lawful Intercept Administrator.

Prerequisites for Cisco Catalyst SD-WAN Lawful Intercept 2.0

  • A Cisco SD-WAN Controller must be set to vManage mode.

  • For more information about decrypting the IPsec traffic in Cisco Catalyst SD-WAN, contact Cisco Support or Cisco Sales team.

Benefits of Cisco Catalyst SD-WAN Lawful Intercept 2.0

  • It is not necessary to configure edge devices for Lawful Intercepts.


    Note


    To configure an intercept, an administrator must select the edge devices that have to be included in the intercept. This is necessary because the key information that is retrieved from Cisco SD-WAN Manager also includes the keys for the selected devices.


  • The service provider captures the data traffic for interception. Traffic is not intercepted from the edge devices.

Create a Lawful Intercept Administrator

Using the Admin account in Cisco SD-WAN Manager, create an account for the Lawful Intercept administrator.

  1. From the Cisco SD-WAN Manager menu, choose Administration > Lawful Intercept.

  2. Click Add User to create a Lawful Intercept administrator user account.

  3. In the Full Name field, enter a full name for the Lawful Intercept administrator.

  4. In the User Name field, enter a user name for the Lawful Intercept administrator. The user name must be prefixed with li-.

  5. In the Password field, enter a password for the Lawful Intercept administrator.

  6. Confirm the password in the Confirm Password field.

  7. From the User Group drop-down list, choose li-admin, and then click Add.

    The newly created Lawful Intercept administrator user account is displayed in the Users window.

Create a Lawful Intercept API User

The Lawful Intercept API User account is for those users of LEA who log in and retrieve key information using Cisco SD-WAN Manager's REST API. These are the users who perform a lawful intercept of the Cisco Catalyst SD-WAN IPsec traffic.

The LEA use https://{vmanage_ip}/dataservice/li/intercept/retrieve/<intercept_id> to retrieve the key information.

To create a Lawful Intercept API user, perform the following steps:

  1. Log in to Cisco SD-WAN Manager as a Lawful Intercept administrator.


    Note


    When a Lawful Intercept administrator logs in to Cisco SD-WAN Manager, only the Monitor and Administration options are available in the Cisco SD-WAN Manager menu.


  2. From Cisco SD-WAN Manager menu, choose Administration > Lawful Intercept.

  3. Click Add User to create an Lawful Intercept API user account.

  4. In the Full Name field, enter a full name for the Lawful Intercept API user.

  5. In the User Name field, enter a user name for the Lawful Intercept API user. The user name must be prefixed with li-.

  6. In the Password field, enter a password for the Lawful Intercept API user.

  7. Confirm the password in the Confirm Password field.

  8. From the User Group drop-down list, choose li-api, and click Add.

    The newly created Lawful Intercept API user account is displayed in the Users window. The LEA can log in to Cisco SD-WAN Manager using the Lawful Intercept API user account to retrieve key information.

Create an Intercept

Minimum supported release: Cisco vManage Release 20.9.1 and Cisco Catalyst SD-WAN Control Components Release 20.9.1

Configure an intercept to collect intercept data. To configure an intercept, do the following:

  1. From the Cisco SD-WAN Manager menu, choose Administration > Lawful Intercept.

  2. Click the Intercepts tab, and then click Add Intercepts.

  3. Cisco Catalyst SD-WAN Manager Release 20.12.1 and later releases:

    From the Tenant drop-down list, choose a tenant. For more information about adding a tenant, see Add a New Tenant.

  4. In the Intercept ID field, enter a number. Enter a minimum of two digits and a maximum of 25 digits.

  5. In the Description field, enter a description for the intercept.

  6. By default the Enable toggle button is enabled. However, the intercept remains in an inactive state after it is created.

  7. Click Next.

    In single-tenant mode, the Add Edge Devices pop-up window displays all the edge devices in the Cisco Catalyst SD-WAN network.

    Cisco Catalyst SD-WAN Manager Release 20.12.1 and later releases:

    In multi-tenant mode, the Add Edge Devices pop-up window displays all the single-tenant edge devices associated with the selected tenant.

  8. Click one or more edge device names to add to the intercept and click Next.

    Cisco SD-WAN Manager provides the keys for the edge devices selected here.


    Note


    Specify an intercept warrant for all the edge devices that are added to the intercept.


    When an edge device is added for interception, all its peer devices, which are connected in the same network, are also available for Lawful Interception.

  9. The Add LI API users pages displays all the LI-API users created by the Lawful Intercept administrator.

  10. Click one or more user names to add to the intercept. The users selected here can retrieve key information that is required for interception from Cisco SD-WAN Manager. For information on how keys are retrieved for an intercept, see Retrieve an Intercept.

  11. Click Summary

    The summary of the intercept is displayed.

  12. Click Submit. The Intercepts page displays the configured intercept.

  13. Click Sync to vSmart to synchronize the configured intercept configuration in Cisco SD-WAN Manager with Cisco SD-WAN Controller.

    A progress page displays the status of the synchronization and activation. After successful synchronization, the Activate State field displays a green check mark.


    Note


    The Activate State field displays a green check mark status only if Cisco SD-WAN Controller is set to vManage mode.


    If there are any additional Lawful Intercept tasks, a red dot is displayed on the task list icon in the Cisco SD-WAN Manager toolbar. Click the tasks list icon to view a list of all the active and completed Lawful Intercept tasks. You can view up to 500 latest Lawful Intercept tasks.

    If an intercept is modified, the Sync to vSmart button is enabled. Click Sync to vSmart to synchronize the intercept configuration in Cisco SD-WAN Manager with Cisco SD-WAN Controller.


    Note


    The Sync to vSmart button is enabled only when a new intercept is created, or when an intercept is edited or deleted.


    To retrieve key information that is required for interception, click , and then click Get IRI. The IRI is retrieved from Cisco SD-WAN Controller and displayed in Cisco SD-WAN Manager.

Retrieve an Intercept

An LEA is responsible to periodically retrieve key information because this information is required to decrypt the traffic captured by the MSP.

An LEA can retrieve key information by using Cisco Catalyst SD-WAN Manager REST APIs.

  1. An LEA logs in to Cisco SD-WAN Manager as a Lawful Intercept API user.

  2. After a Lawful Intercept API user is authenticated, the LEA sends a request using the Cisco SD-WAN Manager REST APIs specifying the intercept ID that it wants to get the key information for.

  3. When a request from the LEA is received by Cisco SD-WAN Manager, Cisco SD-WAN Manager forwards the request to the Cisco SD-WAN Controller on which intercepts are configured.

  4. Cisco SD-WAN Controller then retrieves the key information for the specified intercept ID and returns the key information to Cisco SD-WAN Manager in JSON format.